November 2, 1999
Web posted at: 9:29 a.m. EST (1429 GMT)

Some industry observers believe that, if the practice continues to escalate unchecked, it could eventually erode users' buying confidence and negatively affect corporations' e-commerce revenues.

But while the bad guys appear to have a technical head start, good guys responsible for coming up with preventative security cures are starting to appear. Inspective Systems, formerly known as Factpoint, a small software company in Burlington, Mass., will release by the end of the year its Trustsite Solution, which officials claim is the first content-certification program for Web sites.

The solution basically sets up a separate certification server for each Web site and creates a digital fingerprint for each certified page and each piece of content. Another component of the package sets up a validation server that constantly monitors a site's certified content as each page is loaded.

	MESSAGE BOARD
How do you define a hacker?

Some observers believe that Inspective's product could play a significant role in softening the anxieties of both corporate users and consumers.

"What is interesting about what Factpoint [does, is that it provides] a way to ensure authentication. You can install software on your machine that verifies that what you have is what you think you have," said Carol Baroudi, senior strategist for electronic business at the Hurwitz Group, in Framingham, Mass.

"Many people using the Web have no understanding that just because you see it, doesn't mean it is true. [Webjacking] is becoming more and more pervasive as people begin to understand how to manipulate the Web. These incidences will rise considerably on both corporate and consumer levels," Baroudi said.

Still, the practice has become enough of a threat that Federal Trade Commission officials late last month announced that the commission would crack down on Webjackers, saying that it is now looking into its one hundredth related Internet case.

Although most analysts believe that tens of millions of dollars have already been hijacked from legitimate sites, none of them are willing to offer estimated figures on the losses. The problem is that few companies are willing to admit they have been victimized in a fraudulent scheme, either out of embarrassment or in fear of drawing the attention of more hackers.

"There is no way you announce to the world that someone has hacked your site. It's like sending out an invitation to 'Hacker Central' to take another whack at you," said one IT executive at a large East Coast publisher.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
InfoWorld home page
InfoWorld forums home page
InfoWorld Internet commerce section
Get Media Grok and The Industry Standard Intelligencer delivered for free
Reviews & in-depth info at IDG.net
IDG.net's personal news page
Year 2000 World
Feds crack down on Web hijackers
Busted: PairGain engineer charged for securities fraud
House passes cybersquatting bill
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for IT leaders
Search IDG.net in 12 languages
News Radio
	Fusion audio primers
	Computerworld Minute

Unfortunately, redirecting traffic from a legitimate Web site is easy to do. In many cases, it involves copying a Web site's opening page. Then, with just a few lines of code, hackers can get all of a site's HTML links to point to an illegitimate site. In other cases, it is a matter of adding just a few meta tags to a popular search engine used to find Web sites.

"Essentially, [hackers] are inserting themselves in the middle. They will gladly pose as legitimate. Eventually, they are hoping you will add things to their site's shopping cart," commented Charles Palmer, manager of network security and cryptography at IBM's T.J. Watson Research Center, in Yorktown Heights, N.Y.

One result of this could be that hackers can steal credit card numbers from unsuspecting consumers and corporations' buying agents.

An even simpler approach for perpetrators is that for less than $100, they can register the name of popular domains. By just changing an "o'' in a Web site name to a zero, they can set up a fraudulent site. Earlier this year, a would-be hacker registered the domain "Micr0soft,"

but it was discovered before any damage was done. However, there have been a handful of highly publicized cases. Earlier this year, hackers posted a false financial news story about PairGain, a California-based communications company, making it look as if the story appeared on the Bloomberg financial news service Web site.

The bogus story, which said that PairGain was being bought by a well known telecommunications company, sent PairGain's stock rocketing and then free-falling.

Ed Scannell is an InfoWorld editor at large.